mirror of
https://github.com/grafana/grafana.git
synced 2024-12-01 13:09:22 -06:00
3be82ecd4e
If anonymous access is enabled for an org and there are multiple orgs. When requesting a page that requires user to be logged in and orgId query string is set in the request url to an org not equal the anonymous org, if the user is not logged in should be redirected to the login page. Fixes #26120 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
107 lines
3.3 KiB
Go
107 lines
3.3 KiB
Go
package middleware
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
|
|
. "github.com/smartystreets/goconvey/convey"
|
|
)
|
|
|
|
func TestMiddlewareAuth(t *testing.T) {
|
|
Convey("Given the grafana middleware", t, func() {
|
|
reqSignIn := Auth(&AuthOptions{ReqSignedIn: true})
|
|
|
|
middlewareScenario(t, "ReqSignIn true and unauthenticated request", func(sc *scenarioContext) {
|
|
sc.m.Get("/secure", reqSignIn, sc.defaultHandler)
|
|
|
|
sc.fakeReq("GET", "/secure").exec()
|
|
|
|
Convey("Should redirect to login", func() {
|
|
So(sc.resp.Code, ShouldEqual, 302)
|
|
})
|
|
})
|
|
|
|
middlewareScenario(t, "ReqSignIn true and unauthenticated API request", func(sc *scenarioContext) {
|
|
sc.m.Get("/api/secure", reqSignIn, sc.defaultHandler)
|
|
|
|
sc.fakeReq("GET", "/api/secure").exec()
|
|
|
|
Convey("Should return 401", func() {
|
|
So(sc.resp.Code, ShouldEqual, 401)
|
|
})
|
|
})
|
|
|
|
Convey("Anonymous auth enabled", func() {
|
|
origEnabled := setting.AnonymousEnabled
|
|
t.Cleanup(func() {
|
|
setting.AnonymousEnabled = origEnabled
|
|
})
|
|
origName := setting.AnonymousOrgName
|
|
t.Cleanup(func() {
|
|
setting.AnonymousOrgName = origName
|
|
})
|
|
setting.AnonymousEnabled = true
|
|
setting.AnonymousOrgName = "test"
|
|
|
|
bus.AddHandler("test", func(query *models.GetOrgByNameQuery) error {
|
|
query.Result = &models.Org{Id: 1, Name: "test"}
|
|
return nil
|
|
})
|
|
|
|
middlewareScenario(t, "ReqSignIn true and request with forceLogin in query string", func(sc *scenarioContext) {
|
|
sc.m.Get("/secure", reqSignIn, sc.defaultHandler)
|
|
|
|
sc.fakeReq("GET", "/secure?forceLogin=true").exec()
|
|
|
|
Convey("Should redirect to login", func() {
|
|
So(sc.resp.Code, ShouldEqual, 302)
|
|
location, ok := sc.resp.Header()["Location"]
|
|
So(ok, ShouldBeTrue)
|
|
So(location[0], ShouldEqual, "/login")
|
|
})
|
|
})
|
|
|
|
middlewareScenario(t, "ReqSignIn true and request with same org provided in query string", func(sc *scenarioContext) {
|
|
sc.m.Get("/secure", reqSignIn, sc.defaultHandler)
|
|
|
|
sc.fakeReq("GET", "/secure?orgId=1").exec()
|
|
|
|
Convey("Should not redirect to login", func() {
|
|
So(sc.resp.Code, ShouldEqual, 200)
|
|
})
|
|
})
|
|
|
|
middlewareScenario(t, "ReqSignIn true and request with different org provided in query string", func(sc *scenarioContext) {
|
|
sc.m.Get("/secure", reqSignIn, sc.defaultHandler)
|
|
|
|
sc.fakeReq("GET", "/secure?orgId=2").exec()
|
|
|
|
Convey("Should redirect to login", func() {
|
|
So(sc.resp.Code, ShouldEqual, 302)
|
|
location, ok := sc.resp.Header()["Location"]
|
|
So(ok, ShouldBeTrue)
|
|
So(location[0], ShouldEqual, "/login")
|
|
})
|
|
})
|
|
})
|
|
|
|
Convey("snapshot public mode or signed in", func() {
|
|
middlewareScenario(t, "Snapshot public mode disabled and unauthenticated request should return 401", func(sc *scenarioContext) {
|
|
sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
|
|
sc.fakeReq("GET", "/api/snapshot").exec()
|
|
So(sc.resp.Code, ShouldEqual, 401)
|
|
})
|
|
|
|
middlewareScenario(t, "Snapshot public mode enabled and unauthenticated request should return 200", func(sc *scenarioContext) {
|
|
setting.SnapshotPublicMode = true
|
|
sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
|
|
sc.fakeReq("GET", "/api/snapshot").exec()
|
|
So(sc.resp.Code, ShouldEqual, 200)
|
|
})
|
|
})
|
|
})
|
|
}
|